There is a little password app that I’ve been using for years that works great, called iPassword. It purports to have 256 bit AES encryption, and all data is kept on-device. My question - is it possible for a developer of an app to actually have any data secretly transferred behind the scenes? Does iOS security somehow prevent this?
I know about 1Password, and all the accolades it receives, but I’m really not entertaining using it. All I want is a simple on-device app that is secure, but I do wonder if a nefarious developer can somehow secretly code their app to bypass iOS security and “write home”.
There is nothing iOS does to prevent or even notify the user when an app sends data over the network. Even the spinning network indicator can be shown or hidden at will by the developer.
That’s why trust is so important for critical apps and probably why so many are using 1Password even though fhey don’t need most features the subscription offers.
Short answer: yes, the developer could grab all the passwords you enter into the app. If you have reason to not trust the developer, don’t use the software.
I find it more likely that data colud leak due to a flaw in implementation of the encryption, bugs in the code or using an easy to guess password. The developer would be in deep trouble if password stealing were to be discovered.
As a developer they really is nothing that stops you doing such a thing physically.
However customer trust is the backbone of every software company, the value proposition is not there to be stealing stuff like that because the risk reward sucks, maybe I steal some guys passwords, and maybe people find out and the PR drives me out of business.
The best strategy is still to develop a reputation for quality work, build an audience and use that to sell more product, a return customer has infinitely more potential value then a lost customer.